Golddigger And Gigabud Android Malware Attacking Airlines Customers

by Esmeralda McKenzie

Gigabud, an Android banking trojan that impersonates government entities, initially targeted Thailand, the Philippines, and Peru. Its source code overlaps significantly with Golddigger, another Android banking trojan that targets Vietnam.

This points to a shared threat actor who has since expanded Gigabud's scope to include Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia, demonstrating increased sophistication and broader geographic targeting.

[Figure: Phishing site distributing a fake South African Airways app]

Researchers have discovered phishing sites mimicking Google Play that distribute Gigabud malware disguised as South African Airways and Ethiopian Airlines apps, tricking users into downloading the malicious packages.

The appearance of malware samples from South Africa together with the use of African airline themes indicates that the threat actors have broadened their targeting to include both South Africa and Ethiopia.

Gigabud has also expanded into Mexico and Indonesia, impersonating HeyBanco and M-Pajak, respectively, through fake login pages.


The malware's distribution has surged since June 2024, indicating an intensified campaign.

[Figure: Icons used by Gigabud malware]

It shares code similarities with Golddigger, suggesting a common threat actor behind both, and its use of numerous icons that mimic legitimate entities underscores the social engineering tactics aimed at deceiving victims.

New Gigabud samples have been identified that use the Virbox packer to obfuscate their malicious nature. They employ evasion tactics similar to Golddigger's, exploiting the zip file format in ways that significantly hinder detection and analysis by security solutions.

[Figure: Use of the Virbox packer]

Analysis of the new Gigabud samples reveals a strong resemblance to Golddigger. Both use a native library, "libstrategy.so", to target specific UI elements within banking apps.

Gigabud builds on Golddigger's functionality by adding support for additional banking applications, including Yape (Peru) and Dutch-Bangla Bank Rocket (Bangladesh), which highlights Gigabud's evolving capabilities and the need for heightened vigilance against such mobile banking threats.

Recent samples previously attributed to Golddigger have been reclassified as Gigabud after unpacking analysis revealed libraries and classes shared with known Gigabud variants.

[Figure: The same code shown in old and new samples]

A new unpacked Gigabud sample, distributed through a phishing site, lacks Virbox packing but retains code similarities to older versions, particularly in its fake bank dialog box displays.

Recent Gigabud samples use Retrofit for C&C communication and include endpoints for uploading various user data such as contacts, SMS messages, and screen recordings.

[Figure: Parsed UI element IDs of targeted bank applications within the Strategy native library (libstrategy.so)]

The malware also employs the libstrategy.so library, which Golddigger uses as well, to target specific UI elements of banking apps and steal financial data; this reuse suggests the same threat actor is behind both malware strains.
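The two static indicators the article returns to, the shared libstrategy.so native library and a zip container abused to frustrate analysis, can both be checked before an APK is ever installed. The following script is an added example for this article, not tooling from Cyble or from the malware authors. It lists the native libraries in an APK and flags the libstrategy.so name the report cites, and it cross-checks every zip local file header against the central directory. The report does not say which zip quirk the Virbox-packed samples exploit, so the header check is a general consistency check (an assumption about the class of trick), not a signature for these samples; the APK it runs on is a constructed placeholder built in memory, not a real sample.

```python
"""Static triage of an Android APK for the indicators discussed above.

Added example, not tooling from Cyble or the article. Two checks:
  1. list native libraries and flag the "libstrategy.so" name the report says
     both Golddigger and Gigabud ship;
  2. cross-check each ZIP local file header against the central directory.
     The report does not say which ZIP quirk the packed samples exploit, so
     this is a general consistency check (assumption), not a signature.
"""
import io
import struct
import zipfile

SUSPICIOUS_NATIVE_LIBS = {"libstrategy.so"}  # library name taken from the report

LOCAL_HEADER_SIG = b"PK\x03\x04"
# sig, version, flags, method, mod time, mod date, crc32, comp size,
# uncomp size, name length, extra length
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes


def native_libs(apk_bytes: bytes) -> list[str]:
    """Paths of all native libraries under lib/ as listed in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [n for n in zf.namelist() if n.startswith("lib/") and n.endswith(".so")]


def flagged_libs(apk_bytes: bytes) -> list[str]:
    """Native libraries whose file name matches a known shared malware library."""
    return [p for p in native_libs(apk_bytes) if p.rsplit("/", 1)[-1] in SUSPICIOUS_NATIVE_LIBS]


def header_mismatches(apk_bytes: bytes) -> list[str]:
    """Describe every entry whose local header disagrees with the central directory.

    A strict parser and a lenient loader can see two different archives when
    these records disagree, which is one way a malformed container defeats
    static scanners.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = apk_bytes[off:off + LOCAL_HEADER_SIZE]
            if len(hdr) < LOCAL_HEADER_SIZE:
                problems.append(f"{info.filename}: truncated local header")
                continue
            fields = struct.unpack(LOCAL_HEADER_FMT, hdr)
            sig, name_len = fields[0], fields[9]
            if sig != LOCAL_HEADER_SIG:
                problems.append(f"{info.filename}: bad local header signature {sig!r}")
                continue
            start = off + LOCAL_HEADER_SIZE
            local_name = apk_bytes[start:start + name_len]
            if local_name != info.filename.encode("utf-8"):
                problems.append(f"{info.filename}: local header names {local_name!r}")
    return problems


def triage(apk_bytes: bytes) -> dict:
    """Combine both checks into one report dictionary."""
    return {
        "native_libs": native_libs(apk_bytes),
        "flagged_libs": flagged_libs(apk_bytes),
        "header_mismatches": header_mismatches(apk_bytes),
    }


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed minimal APK-like ZIP for the demo; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("lib/arm64-v8a/libstrategy.so", b"\x7fELF placeholder")
        zf.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF placeholder")
    data = bytearray(buf.getvalue())
    if tamper:
        # Rewrite the file name inside the FIRST local header only (the central
        # directory still says "AndroidManifest.xml"), so the two records disagree.
        name = b"AndroidManifest.xml"
        idx = data.find(name)  # first occurrence is the local header at offset 30
        data[idx:idx + len(name)] = b"AndroidManifest.xm_"
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("consistent", build_sample_apk()),
                          ("tampered", build_sample_apk(tamper=True))):
        print(label, triage(sample))
```

Python's own `zipfile` refuses to open a member whose local header name differs from the central directory, but other parsers are more forgiving, which is exactly why comparing the two records is a worthwhile triage step before handing a sample to a decompiler. A hit on libstrategy.so is a lead for manual analysis, not a verdict: the name is one the report associates with both families, but any name-based indicator can be changed by the operator.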

Analysis by Cyble Research and Intelligence Labs shows strong links between Golddigger and Gigabud, pointing to a single attacker, while the recent increase in Gigabud samples and the shared tactics indicate a more sophisticated operation with a much broader target range.

New features and attacks in Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia highlight the evolving threat, while the shared code, similar phishing, and impersonation tactics confirm the connection between the two families and call for heightened vigilance and stronger defenses.


Source credit : cybersecuritynews.com
